54d31c46d09b5848bf31f25fe60be61955b513ae74e3f88b847afb757e29d62f

General

Target

54d31c46d09b5848bf31f25fe60be61955b513ae74e3f88b847afb757e29d62f.exe
Size

548KB
MD5

07f350fc82c902bc86a47b26cd3fbff0
SHA1

0a67832785a42fbc4daa2facaeab85999619e8aa
SHA256

54d31c46d09b5848bf31f25fe60be61955b513ae74e3f88b847afb757e29d62f
SHA512

8f0d0f9176b456b916545463d62d6e65f4559a1152adec6fca2d65d25ccef31c011ab30056fed27b3e6b1de71729b6cafd0abcd9c335300ae734549db621645f
SSDEEP

12288:X0bun/W34ZZJ1cjCT3bgO16bYzdUTOokFSH/UjwjWOXsSMc0cacy+:X0bbvjiJ1n5loxUNSMc0Z

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1940	2X8HVZ.exe

Loads dropped DLL 2 IoCs

pid	Process
1824	54d31c46d09b5848bf31f25fe60be61955b513ae74e3f88b847afb757e29d62f.exe
1824	54d31c46d09b5848bf31f25fe60be61955b513ae74e3f88b847afb757e29d62f.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1960	WINWORD.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1960	WINWORD.EXE
1960	WINWORD.EXE
1960	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 1940	1824	54d31c46d09b5848bf31f25fe60be61955b513ae74e3f88b847afb757e29d62f.exe	27
PID 1824 wrote to memory of 1940	1824	54d31c46d09b5848bf31f25fe60be61955b513ae74e3f88b847afb757e29d62f.exe	27
PID 1824 wrote to memory of 1940	1824	54d31c46d09b5848bf31f25fe60be61955b513ae74e3f88b847afb757e29d62f.exe	27
PID 1824 wrote to memory of 1940	1824	54d31c46d09b5848bf31f25fe60be61955b513ae74e3f88b847afb757e29d62f.exe	27
PID 1824 wrote to memory of 1960	1824	54d31c46d09b5848bf31f25fe60be61955b513ae74e3f88b847afb757e29d62f.exe	28
PID 1824 wrote to memory of 1960	1824	54d31c46d09b5848bf31f25fe60be61955b513ae74e3f88b847afb757e29d62f.exe	28
PID 1824 wrote to memory of 1960	1824	54d31c46d09b5848bf31f25fe60be61955b513ae74e3f88b847afb757e29d62f.exe	28
PID 1824 wrote to memory of 1960	1824	54d31c46d09b5848bf31f25fe60be61955b513ae74e3f88b847afb757e29d62f.exe	28

C:\Users\Admin\AppData\Local\Temp\54d31c46d09b5848bf31f25fe60be61955b513ae74e3f88b847afb757e29d62f.exe
"C:\Users\Admin\AppData\Local\Temp\54d31c46d09b5848bf31f25fe60be61955b513ae74e3f88b847afb757e29d62f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Users\Admin\AppData\Roaming\JNUVD7\2X8HVZ.exe
  "C:\Users\Admin\AppData\Roaming\JNUVD7\2X8HVZ.exe" -launcher
  2⤵
  - Executes dropped EXE
  PID:1940
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\54d31c46d09b5848bf31f25fe60be61955b513ae74e3f88b847afb757e29d62f.exe--.docx"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:1960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\54d31c46d09b5848bf31f25fe60be61955b513ae74e3f88b847afb757e29d62f.exe--.docx

Filesize
296KB

MD5
252fb563a316229eb0cff9bc58b48c79

SHA1
2150f4903481cb3e7ead0d655ad477dd2d0dd53b

SHA256
2480d3f7583da57538eab32b3e2c9f155d7d2bb05662af48caab2405a43dd8ff

SHA512
37a219648635216dd1e25c668e00c3d323454872510d037df87aa6c3acc0fca50efa969a21118185cef366887031ca3fcc6f34c3bdd2b00ecb89e6341611198c

Download Submit
C:\Users\Admin\AppData\Roaming\JNUVD7\2X8HVZ.exe

Filesize
227KB

MD5
2a6e093535f97571ad659d6639dfd51f

SHA1
23a661afa9db77e9c9051ba83633f4082f591f10

SHA256
42e54dcb4ac266a981138fa70a61051b033b493050440d8c387d05c0a76d6cb3

SHA512
740a0f7d50c121baeed391615d46a4c996344c0d360ceaee65eaa1c3c87a20d977ad2732d9f89cd78229dcb21f49b2ee2fd10ee35161b59651ec625e622545d6

Download Submit
C:\Users\Admin\AppData\Roaming\JNUVD7\2X8HVZ.exe

Filesize
227KB

MD5
2a6e093535f97571ad659d6639dfd51f

SHA1
23a661afa9db77e9c9051ba83633f4082f591f10

SHA256
42e54dcb4ac266a981138fa70a61051b033b493050440d8c387d05c0a76d6cb3

SHA512
740a0f7d50c121baeed391615d46a4c996344c0d360ceaee65eaa1c3c87a20d977ad2732d9f89cd78229dcb21f49b2ee2fd10ee35161b59651ec625e622545d6

Download Submit
\Users\Admin\AppData\Roaming\JNUVD7\2X8HVZ.exe

Filesize
227KB

MD5
2a6e093535f97571ad659d6639dfd51f

SHA1
23a661afa9db77e9c9051ba83633f4082f591f10

SHA256
42e54dcb4ac266a981138fa70a61051b033b493050440d8c387d05c0a76d6cb3

SHA512
740a0f7d50c121baeed391615d46a4c996344c0d360ceaee65eaa1c3c87a20d977ad2732d9f89cd78229dcb21f49b2ee2fd10ee35161b59651ec625e622545d6

Download Submit
\Users\Admin\AppData\Roaming\JNUVD7\2X8HVZ.exe

Filesize
227KB

MD5
2a6e093535f97571ad659d6639dfd51f

SHA1
23a661afa9db77e9c9051ba83633f4082f591f10

SHA256
42e54dcb4ac266a981138fa70a61051b033b493050440d8c387d05c0a76d6cb3

SHA512
740a0f7d50c121baeed391615d46a4c996344c0d360ceaee65eaa1c3c87a20d977ad2732d9f89cd78229dcb21f49b2ee2fd10ee35161b59651ec625e622545d6

Download Submit
memory/1824-56-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1824-55-0x0000000000310000-0x0000000000337000-memory.dmp

Filesize
156KB

Download
memory/1824-54-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download
memory/1824-72-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1824-71-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1940-63-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1940-62-0x0000000000280000-0x00000000002A7000-memory.dmp

Filesize
156KB

Download
memory/1940-73-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1960-65-0x00000000720B1000-0x00000000720B4000-memory.dmp

Filesize
12KB

Download
memory/1960-66-0x000000006FB31000-0x000000006FB33000-memory.dmp

Filesize
8KB

Download
memory/1960-67-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1960-69-0x0000000070B1D000-0x0000000070B28000-memory.dmp

Filesize
44KB

Download
memory/1960-74-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1960-75-0x0000000070B1D000-0x0000000070B28000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing